Penetration Testing mailing list archives

Re: Full Disclosure of Security Vulnerabilities


From: mlevenstein () spohncentral com
Date: 1 Nov 2007 13:11:31 -0000

With thousands of installations of this product, your client should address the issue with the vendor and insist on a 
patch.

Since the vendor has already worked with you on recreating the exploit and testing, perhaps the vendor is working on a 
patch. (They may plan to announce the vulnerability only when they release the fix for it.)

As to your client, you owe them disclosure of the security hole. But you would be working against the client's 
interests to make the issue public. 

The question is: Do you have fiduciary responsibility to the client? If so, you must put their interests first. 
Publicly disclosing that software they use is seriously flawed could harm your client's business (and your reputation 
as an auditor).

Just my thoughts on the matter. I'm new to pen-testing and learning the business rules.

